feat: add v2 encrypt/decrypt support to WRW flows

bdesoky · bdesoky · commit b45de2b7a4de · 2026-05-21T17:43:42.000-04:00
Ticket: WCN-172
diff --git a/modules/abstract-eth/src/abstractEthLikeNewCoins.ts b/modules/abstract-eth/src/abstractEthLikeNewCoins.ts
@@ -1478,7 +1478,7 @@ export abstract class AbstractEthLikeNewCoins extends AbstractEthLikeCoin {
 
     if (!userKey.startsWith('xpub') && !userKey.startsWith('xprv')) {
       try {
-        userKey = this.bitgo.decrypt({
+        userKey = await this.bitgo.decryptAsync({
           input: userKey,
           password: params.walletPassphrase,
         });
@@ -1497,7 +1497,7 @@ export abstract class AbstractEthLikeNewCoins extends AbstractEthLikeCoin {
       let backupPrv;
 
       try {
-        backupPrv = this.bitgo.decrypt({
+        backupPrv = await this.bitgo.decryptAsync({
           input: backupKey,
           password: params.walletPassphrase,
         });
@@ -1670,7 +1670,7 @@ export abstract class AbstractEthLikeNewCoins extends AbstractEthLikeCoin {
 
     let userKeyPrv;
     try {
-      userKeyPrv = this.bitgo.decrypt({
+      userKeyPrv = await this.bitgo.decryptAsync({
         input: params.encryptedPrv,
         password: params.walletPassphrase,
       });
@@ -1749,7 +1749,7 @@ export abstract class AbstractEthLikeNewCoins extends AbstractEthLikeCoin {
     if (params.walletPassphrase) {
       if (!userKey.startsWith('xpub') && !userKey.startsWith('xprv')) {
         try {
-          userKeyPrv = this.bitgo.decrypt({
+          userKeyPrv = await this.bitgo.decryptAsync({
             input: userKey,
             password: params.walletPassphrase,
           });
diff --git a/modules/abstract-eth/src/ethLikeToken.ts b/modules/abstract-eth/src/ethLikeToken.ts
@@ -219,7 +219,7 @@ export class EthLikeToken extends AbstractEthLikeNewCoins {
     // Decrypt private keys from KeyCard values
     if (!userKey.startsWith('xpub') && !userKey.startsWith('xprv')) {
       try {
-        userKey = this.bitgo.decrypt({
+        userKey = await this.bitgo.decryptAsync({
           input: userKey,
           password: params.walletPassphrase,
         });
@@ -239,7 +239,7 @@ export class EthLikeToken extends AbstractEthLikeNewCoins {
       let backupPrv;
 
       try {
-        backupPrv = this.bitgo.decrypt({
+        backupPrv = await this.bitgo.decryptAsync({
           input: backupKey,
           password: params.walletPassphrase,
         });
diff --git a/modules/abstract-substrate/src/abstractSubstrateCoin.ts b/modules/abstract-substrate/src/abstractSubstrateCoin.ts
@@ -300,7 +300,7 @@ export class SubstrateCoin extends BaseCoin {
       // Decrypt private keys from KeyCard values
       let userPrv;
       try {
-        userPrv = this.bitgo.decrypt({
+        userPrv = await this.bitgo.decryptAsync({
           input: userKey,
           password: params.walletPassphrase,
         });
@@ -311,7 +311,7 @@ export class SubstrateCoin extends BaseCoin {
 
       let backupPrv;
       try {
-        backupPrv = this.bitgo.decrypt({
+        backupPrv = await this.bitgo.decryptAsync({
           input: backupKey,
           password: params.walletPassphrase,
         });
diff --git a/modules/sdk-api/src/encryptV2.ts b/modules/sdk-api/src/encryptV2.ts
@@ -1,8 +1,11 @@
 import { argon2id } from '@bitgo/argon2';
 import { base64String, boundedInt, decodeWithCodec } from '@bitgo/sdk-core';
-import { randomBytes } from 'crypto';
+import { randomBytes, webcrypto } from 'crypto';
 import * as t from 'io-ts';
 
+/** Web Crypto subtle — browser global in DOM; Node/Electron main must use `webcrypto`. */
+const subtle = globalThis.crypto?.subtle ?? webcrypto.subtle;
+
 /** Default Argon2id parameters per RFC 9106 second recommendation
  * @see https://www.rfc-editor.org/rfc/rfc9106#section-4
  */
@@ -80,7 +83,7 @@ async function argon2ToAesKey(
   params: { memorySize: number; iterations: number; parallelism: number }
 ): Promise<CryptoKey> {
   const keyBytes = await argon2Hash(password, salt, params);
-  return crypto.subtle.importKey('raw', keyBytes, { name: 'AES-GCM' }, false, ['encrypt', 'decrypt']);
+  return subtle.importKey('raw', keyBytes, { name: 'AES-GCM' }, false, ['encrypt', 'decrypt']);
 }
 
 export async function argon2ToHkdfKey(
@@ -89,11 +92,11 @@ export async function argon2ToHkdfKey(
   params: { memorySize: number; iterations: number; parallelism: number }
 ): Promise<CryptoKey> {
   const keyBytes = await argon2Hash(password, salt, params);
-  return crypto.subtle.importKey('raw', keyBytes, 'HKDF', false, ['deriveKey']);
+  return subtle.importKey('raw', keyBytes, 'HKDF', false, ['deriveKey']);
 }
 
 export function hkdfDeriveAesKey(hkdfKey: CryptoKey, hkdfSalt: Uint8Array, usage: KeyUsage): Promise<CryptoKey> {
-  return crypto.subtle.deriveKey(
+  return subtle.deriveKey(
     { name: 'HKDF', hash: 'SHA-256', salt: hkdfSalt, info: HKDF_INFO },
     hkdfKey,
     { name: 'AES-GCM', length: 256 },
@@ -110,7 +113,7 @@ export async function aesGcmEncrypt(
 ): Promise<Uint8Array> {
   const params: AesGcmParams = { name: 'AES-GCM', iv, tagLength: 128 };
   if (additionalData) params.additionalData = additionalData;
-  const ct = await crypto.subtle.encrypt(params, key, new TextEncoder().encode(plaintext));
+  const ct = await subtle.encrypt(params, key, new TextEncoder().encode(plaintext));
   return new Uint8Array(ct);
 }
 
@@ -122,7 +125,7 @@ export async function aesGcmDecrypt(
 ): Promise<string> {
   const params: AesGcmParams = { name: 'AES-GCM', iv, tagLength: 128 };
   if (additionalData) params.additionalData = additionalData;
-  const plaintext = await crypto.subtle.decrypt(params, key, ct);
+  const plaintext = await subtle.decrypt(params, key, ct);
   return new TextDecoder().decode(plaintext);
 }
 
diff --git a/modules/sdk-coin-ada/src/ada.ts b/modules/sdk-coin-ada/src/ada.ts
@@ -464,7 +464,7 @@ export class Ada extends BaseCoin {
       // Decrypt private keys from KeyCard values
       let userPrv;
       try {
-        userPrv = this.bitgo.decrypt({
+        userPrv = await this.bitgo.decryptAsync({
           input: userKey,
           password: params.walletPassphrase,
         });
@@ -476,7 +476,7 @@ export class Ada extends BaseCoin {
 
       let backupPrv;
       try {
-        backupPrv = this.bitgo.decrypt({
+        backupPrv = await this.bitgo.decryptAsync({
           input: backupKey,
           password: params.walletPassphrase,
         });
diff --git a/modules/sdk-coin-algo/src/algo.ts b/modules/sdk-coin-algo/src/algo.ts
@@ -883,8 +883,8 @@ export class Algo extends BaseCoin {
         throw new Error('bitgo public key from the keyCard is required for non-bitgo recovery');
       }
       try {
-        userPrv = this.bitgo.decrypt({ input: params.userKey, password: params.walletPassphrase });
-        backupPrv = this.bitgo.decrypt({ input: params.backupKey, password: params.walletPassphrase });
+        userPrv = await this.bitgo.decryptAsync({ input: params.userKey, password: params.walletPassphrase });
+        backupPrv = await this.bitgo.decryptAsync({ input: params.backupKey, password: params.walletPassphrase });
         const userKeyAddress = Utils.privateKeyToAlgoAddress(userPrv);
         const backupKeyAddress = Utils.privateKeyToAlgoAddress(backupPrv);
         txBuilder.numberOfRequiredSigners(2).setSigners([userKeyAddress, backupKeyAddress, params.bitgoKey]);
diff --git a/modules/sdk-coin-algo/test/unit/algo.ts b/modules/sdk-coin-algo/test/unit/algo.ts
@@ -919,7 +919,7 @@ describe('ALGO:', function () {
           },
           {
             message:
-              "unable to decrypt userKey or backupKey with the walletPassphrase provided, got error: password error - ccm: tag doesn't match",
+              'unable to decrypt userKey or backupKey with the walletPassphrase provided, got error: incorrect password',
           }
         );
       });
diff --git a/modules/sdk-coin-avaxc/src/avaxc.ts b/modules/sdk-coin-avaxc/src/avaxc.ts
@@ -635,7 +635,7 @@ export class AvaxC extends AbstractEthLikeNewCoins {
       : new optionalDeps.ethUtil.BN(this.setGasPrice(params.gasPrice));
     if (!userKey.startsWith('xpub') && !userKey.startsWith('xprv')) {
       try {
-        userKey = this.bitgo.decrypt({
+        userKey = await this.bitgo.decryptAsync({
           input: userKey,
           password: params.walletPassphrase,
         });
@@ -654,7 +654,7 @@ export class AvaxC extends AbstractEthLikeNewCoins {
       let backupPrv;
 
       try {
-        backupPrv = this.bitgo.decrypt({
+        backupPrv = await this.bitgo.decryptAsync({
           input: backupKey,
           password: params.walletPassphrase,
         });
diff --git a/modules/sdk-coin-dot/src/dot.ts b/modules/sdk-coin-dot/src/dot.ts
@@ -410,7 +410,7 @@ export class Dot extends BaseCoin {
       // Decrypt private keys from KeyCard values
       let userPrv;
       try {
-        userPrv = this.bitgo.decrypt({
+        userPrv = await this.bitgo.decryptAsync({
           input: userKey,
           password: params.walletPassphrase,
         });
@@ -422,7 +422,7 @@ export class Dot extends BaseCoin {
 
       let backupPrv;
       try {
-        backupPrv = this.bitgo.decrypt({
+        backupPrv = await this.bitgo.decryptAsync({
           input: backupKey,
           password: params.walletPassphrase,
         });
diff --git a/modules/sdk-coin-etc/src/etc.ts b/modules/sdk-coin-etc/src/etc.ts
@@ -89,7 +89,7 @@ export class Etc extends AbstractEthLikeCoin {
 
     if (!userKey.startsWith('xpub') && !userKey.startsWith('xprv')) {
       try {
-        userKey = this.bitgo.decrypt({
+        userKey = await this.bitgo.decryptAsync({
           input: userKey,
           password: params.walletPassphrase,
         });
@@ -108,7 +108,7 @@ export class Etc extends AbstractEthLikeCoin {
       let backupPrv;
 
       try {
-        backupPrv = this.bitgo.decrypt({
+        backupPrv = await this.bitgo.decryptAsync({
           input: backupKey,
           password: params.walletPassphrase,
         });
diff --git a/modules/sdk-coin-eth/src/erc20Token.ts b/modules/sdk-coin-eth/src/erc20Token.ts
@@ -171,7 +171,7 @@ export class Erc20Token extends Eth {
     let userPrv;
     if (!userKey.startsWith('xpub') && !userKey.startsWith('xprv')) {
       try {
-        userPrv = this.bitgo.decrypt({
+        userPrv = await this.bitgo.decryptAsync({
           input: userKey,
           password: params.walletPassphrase,
         });
@@ -191,7 +191,7 @@ export class Erc20Token extends Eth {
       let backupPrv;
 
       try {
-        backupPrv = this.bitgo.decrypt({
+        backupPrv = await this.bitgo.decryptAsync({
           input: backupKey,
           password: params.walletPassphrase,
         });
diff --git a/modules/sdk-coin-eth/src/erc721Token.ts b/modules/sdk-coin-eth/src/erc721Token.ts
@@ -171,7 +171,7 @@ export class Erc721Token extends Eth {
     let userPrv;
     if (!userKey.startsWith('xpub') && !userKey.startsWith('xprv')) {
       try {
-        userPrv = this.bitgo.decrypt({
+        userPrv = await this.bitgo.decryptAsync({
           input: userKey,
           password: params.walletPassphrase,
         });
@@ -191,7 +191,7 @@ export class Erc721Token extends Eth {
       let backupPrv;
 
       try {
-        backupPrv = this.bitgo.decrypt({
+        backupPrv = await this.bitgo.decryptAsync({
           input: backupKey,
           password: params.walletPassphrase,
         });
diff --git a/modules/sdk-coin-eth/src/eth.ts b/modules/sdk-coin-eth/src/eth.ts
@@ -208,7 +208,7 @@ export class Eth extends AbstractEthLikeNewCoins {
       : new optionalDeps.ethUtil.BN(this.setGasPrice(params.gasPrice));
     if (!isUnsignedSweep) {
       try {
-        userKey = this.bitgo.decrypt({
+        userKey = await this.bitgo.decryptAsync({
           input: userKey,
           password: params.walletPassphrase,
         });
@@ -229,7 +229,7 @@ export class Eth extends AbstractEthLikeNewCoins {
       let backupPrv;
 
       try {
-        backupPrv = this.bitgo.decrypt({
+        backupPrv = await this.bitgo.decryptAsync({
           input: backupKey,
           password: params.walletPassphrase,
         });
diff --git a/modules/sdk-coin-ethlike/test/fixtures/ethlikeCoin.ts b/modules/sdk-coin-ethlike/test/fixtures/ethlikeCoin.ts
@@ -82,10 +82,7 @@ export const ccr = {
   },
 };
 export const encryptedUserKey =
-  '{"iv":"VFZ3jvXhxo1Z+Yaf2MtZnA==","v":1,"iter":10000,"ks":256,"ts":64,"mode"\n' +
-  ':"ccm","adata":"","cipher":"aes","salt":"p+fkHuLa/8k=","ct":"hYG7pvljLIgCjZ\n' +
-  '53PBlCde5KZRmlUKKHLtDMk+HJfuU46hW+x+C9WsIAO4gFPnTCvFVmQ8x7czCtcNFub5AO2otOG\n' +
-  'OsX4GE2gXOEmCl1TpWwwNhm7yMUjGJUpgW6ZZgXSXdDitSKi4V/hk78SGSzjFOBSPYRa6I="}\n';
+  '{"iv":"VFZ3jvXhxo1Z+Yaf2MtZnA==","v":1,"iter":10000,"ks":256,"ts":64,"mode":"ccm","adata":"","cipher":"aes","salt":"p+fkHuLa/8k=","ct":"hYG7pvljLIgCjZ53PBlCde5KZRmlUKKHLtDMk+HJfuU46hW+x+C9WsIAO4gFPnTCvFVmQ8x7czCtcNFub5AO2otOGOsX4GE2gXOEmCl1TpWwwNhm7yMUjGJUpgW6ZZgXSXdDitSKi4V/hk78SGSzjFOBSPYRa6I="}';
 
 export const custodialHot = {
   hteth: {
diff --git a/modules/sdk-coin-hbar/src/hbar.ts b/modules/sdk-coin-hbar/src/hbar.ts
@@ -597,8 +597,8 @@ export class Hbar extends BaseCoin {
     let backUp: string | undefined;
     if (!isUnsignedSweep) {
       try {
-        userPrv = this.bitgo.decrypt({ input: params.userKey, password: params.walletPassphrase });
-        backUp = this.bitgo.decrypt({ input: params.backupKey, password: params.walletPassphrase });
+        userPrv = await this.bitgo.decryptAsync({ input: params.userKey, password: params.walletPassphrase });
+        backUp = await this.bitgo.decryptAsync({ input: params.backupKey, password: params.walletPassphrase });
       } catch (e) {
         throw new Error(
           'unable to decrypt userKey or backupKey with the walletPassphrase provided, got error: ' + e.message
diff --git a/modules/sdk-coin-hbar/test/unit/hbar.ts b/modules/sdk-coin-hbar/test/unit/hbar.ts
@@ -1136,7 +1136,7 @@ describe('Hedera Hashgraph:', function () {
           },
           {
             message:
-              "unable to decrypt userKey or backupKey with the walletPassphrase provided, got error: password error - ccm: tag doesn't match",
+              'unable to decrypt userKey or backupKey with the walletPassphrase provided, got error: incorrect password',
           }
         );
       });
diff --git a/modules/sdk-coin-iota/src/iota.ts b/modules/sdk-coin-iota/src/iota.ts
@@ -823,15 +823,15 @@ export class Iota extends BaseCoin {
     // Decrypt private keys from KeyCard values
     let userPrv: string;
     try {
-      userPrv = this.bitgo.decrypt({ input: userKey, password: params.walletPassphrase });
+      userPrv = await this.bitgo.decryptAsync({ input: userKey, password: params.walletPassphrase });
     } catch (e) {
       throw new Error(`Error decrypting user keychain: ${(e as Error).message}`);
     }
     const userSigningMaterial = JSON.parse(userPrv) as EDDSAMethodTypes.UserSigningMaterial;
 
     let backupPrv: string;
     try {
-      backupPrv = this.bitgo.decrypt({ input: backupKey, password: params.walletPassphrase });
+      backupPrv = await this.bitgo.decryptAsync({ input: backupKey, password: params.walletPassphrase });
     } catch (e) {
       throw new Error(`Error decrypting backup keychain: ${(e as Error).message}`);
     }
diff --git a/modules/sdk-coin-near/src/near.ts b/modules/sdk-coin-near/src/near.ts
@@ -654,7 +654,7 @@ export class Near extends BaseCoin {
     // Decrypt private keys from KeyCard values
     let userPrv;
     try {
-      userPrv = this.bitgo.decrypt({
+      userPrv = await this.bitgo.decryptAsync({
         input: userKey,
         password: params.walletPassphrase,
       });
@@ -666,7 +666,7 @@ export class Near extends BaseCoin {
 
     let backupPrv;
     try {
-      backupPrv = this.bitgo.decrypt({
+      backupPrv = await this.bitgo.decryptAsync({
         input: backupKey,
         password: params.walletPassphrase,
       });
diff --git a/modules/sdk-coin-polyx/src/polyx.ts b/modules/sdk-coin-polyx/src/polyx.ts
@@ -201,7 +201,7 @@ export class Polyx extends SubstrateCoin {
       // Decrypt private keys from KeyCard values
       let userPrv;
       try {
-        userPrv = this.bitgo.decrypt({
+        userPrv = await this.bitgo.decryptAsync({
           input: userKey,
           password: params.walletPassphrase,
         });
@@ -212,7 +212,7 @@ export class Polyx extends SubstrateCoin {
 
       let backupPrv;
       try {
-        backupPrv = this.bitgo.decrypt({
+        backupPrv = await this.bitgo.decryptAsync({
           input: backupKey,
           password: params.walletPassphrase,
         });
diff --git a/modules/sdk-coin-sol/src/sol.ts b/modules/sdk-coin-sol/src/sol.ts
@@ -1397,7 +1397,7 @@ export class Sol extends BaseCoin {
       let userPrv;
 
       try {
-        userPrv = this.bitgo.decrypt({
+        userPrv = await this.bitgo.decryptAsync({
           input: userKey,
           password: params.walletPassphrase,
         });
@@ -1409,7 +1409,7 @@ export class Sol extends BaseCoin {
 
       let backupPrv;
       try {
-        backupPrv = this.bitgo.decrypt({
+        backupPrv = await this.bitgo.decryptAsync({
           input: backupKey,
           password: params.walletPassphrase,
         });
@@ -1718,7 +1718,7 @@ export class Sol extends BaseCoin {
     let userPrv;
 
     try {
-      userPrv = this.bitgo.decrypt({
+      userPrv = await this.bitgo.decryptAsync({
         input: userKey,
         password: params.walletPassphrase,
       });
@@ -1730,7 +1730,7 @@ export class Sol extends BaseCoin {
 
     let backupPrv;
     try {
-      backupPrv = this.bitgo.decrypt({
+      backupPrv = await this.bitgo.decryptAsync({
         input: backupKey,
         password: params.walletPassphrase,
       });
diff --git a/modules/sdk-coin-sol/test/unit/sol.ts b/modules/sdk-coin-sol/test/unit/sol.ts
diff --git a/modules/sdk-coin-sui/src/sui.ts b/modules/sdk-coin-sui/src/sui.ts
diff --git a/modules/sdk-coin-ton/src/ton.ts b/modules/sdk-coin-ton/src/ton.ts
diff --git a/modules/sdk-coin-ton/test/unit/ton.ts b/modules/sdk-coin-ton/test/unit/ton.ts
diff --git a/modules/sdk-coin-xlm/src/getStellarKeys.ts b/modules/sdk-coin-xlm/src/getStellarKeys.ts
diff --git a/modules/sdk-coin-xlm/src/xlm.ts b/modules/sdk-coin-xlm/src/xlm.ts
diff --git a/modules/sdk-coin-xtz/src/xtz.ts b/modules/sdk-coin-xtz/src/xtz.ts

Original file line number	Diff line number	Diff line change
`@@ -919,7 +919,7 @@ describe('ALGO:', function () {`
`919`	`919`	`},`
`920`	`920`	`{`
`921`	`921`	`message:`
`922`		`- "unable to decrypt userKey or backupKey with the walletPassphrase provided, got error: password error - ccm: tag doesn't match",`
	`922`	`+ 'unable to decrypt userKey or backupKey with the walletPassphrase provided, got error: incorrect password',`
`923`	`923`	`}`
`924`	`924`	`);`
`925`	`925`	`});`